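/**
 * Normalises the loaded signature databases before a scan starts.
 *
 * Depending on AI_EXPERT the extended ("X"/"XX") flex and JS signature sets are
 * folded into the base sets and the extended sets are emptied. A handful of
 * known flex patterns are then swapped for rewritten equivalents, every flex
 * pattern is passed through a fixed series of textual rewrites (the order of
 * those rewrites matters: each one sees the output of the previous), each
 * database is handed to optSig(), and finally the exception rules are run
 * through UnwrapObfu(), trimmed and re-indexed with empty entries dropped.
 *
 * Works only on globals and returns nothing.
 */
function OptimizeSignatures()
{
    global $g_DBShe, $g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe;
    global $g_JSVirSig, $gX_JSVirSig;
    global $g_AdwareSig;
    global $g_PhishingSig;
    global $g_ExceptFlex, $g_SusDBPrio, $g_SusDB;

    // AI_EXPERT selects how many extended signature tiers are merged in;
    // the extended arrays are always cleared afterwards so nothing is scanned twice.
    if (AI_EXPERT == 2) {
        $g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe);
    } elseif (AI_EXPERT == 1) {
        $g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe);
    }
    $gX_FlexDBShe = $gXX_FlexDBShe = [];

    if (AI_EXPERT == 2) {
        $g_JSVirSig = array_merge($g_JSVirSig, $gX_JSVirSig);
    }
    $gX_JSVirSig = [];

    $count = count($g_FlexDBShe);
    for ($i = 0; $i < $count; $i++) {
        // Exact-match replacements of specific patterns by rewritten forms.
        // Strict comparison: with loose `==` a non-string entry (e.g. int 0 on
        // PHP 7) would compare equal to any of these non-numeric strings.
        if ($g_FlexDBShe[$i] === '[a-zA-Z0-9_]+?\\(\\s*[a-zA-Z0-9_]+?=\\s*\\)') {
            $g_FlexDBShe[$i] = '\\((?<=[a-zA-Z0-9_].)\\s*[a-zA-Z0-9_]++=\\s*\\)';
        }
        if ($g_FlexDBShe[$i] === '([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e') {
            $g_FlexDBShe[$i] = '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e';
        }
        if ($g_FlexDBShe[$i] === '$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.') {
            $g_FlexDBShe[$i] = '\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.';
        }

        // Generic rewrites applied to every pattern, in this order.
        $g_FlexDBShe[$i] = str_replace('http://.+?/.+?\\.php\\?a', 'http://[^?\\s]++(?<=\\.php)\\?a', $g_FlexDBShe[$i]);
        $g_FlexDBShe[$i] = preg_replace('~\\[a-zA-Z0-9_\\]\\+\\K\\?~', '+', $g_FlexDBShe[$i]);
        $g_FlexDBShe[$i] = preg_replace('~^\\\\[d]\\+&@~', '&@(?<=\\d..)', $g_FlexDBShe[$i]);
        $g_FlexDBShe[$i] = str_replace('\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*', '.+?', $g_FlexDBShe[$i]);
        $g_FlexDBShe[$i] = str_replace('[\'"]{0,1}.+?[\'"]{0,1}', '.+?', $g_FlexDBShe[$i]);
        // The leading-prefix strip is deliberately run twice (kept from the
        // original) so that a pattern starting with two of the listed prefixes
        // loses both; a single pass would only remove the first one.
        $g_FlexDBShe[$i] = preg_replace('~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~', '', $g_FlexDBShe[$i]);
        $g_FlexDBShe[$i] = preg_replace('~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~', '', $g_FlexDBShe[$i]);
    }

    optSig($g_FlexDBShe);
    optSig($g_JSVirSig);
    optSig($g_AdwareSig);
    optSig($g_PhishingSig);
    optSig($g_SusDB);
    //optSig($g_SusDBPrio);
    //optSig($g_ExceptFlex);

    // Convert exception rules: unwrap, trim, drop empties, re-index as a list.
    // Iterating with foreach (instead of 0..count-1) tolerates a sparse array.
    $l_Rules = [];
    if (is_array($g_ExceptFlex)) {
        foreach ($g_ExceptFlex as $l_Rule) {
            $l_Rule = trim(UnwrapObfu($l_Rule));
            if ($l_Rule !== '') {
                $l_Rules[] = $l_Rule;
            }
        }
    }
    $g_ExceptFlex = $l_Rules;
}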
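/**
 * Scans one filesystem entry and records any findings in the global result lists.
 *
 * A path ending in DIR_SEPARATOR is treated as a folder: it is stored in
 * $g_Structure, counted, and nothing else happens. For a file the function
 * reads its content, skips the scanner itself, ELF executables and files whose
 * CRC is in $g_KnownList, then runs the detectors in a fixed order:
 * CheckVulnerability, CriticalPHP (on the unwrapped and then the raw content),
 * HeuristicChecker, CriticalJS, Phishing; if none of CriticalPHP/CriticalJS/
 * Phishing fired, it continues with iframe and empty-link checks (index files
 * or SCAN_ALL_FILES), PHP code inside non-.ph* files, .htaccess redirect
 * patterns, WarningPHP, Adware and the article_index name check. Each detector
 * pushes $i (and usually a fragment / signature id) onto its own global list.
 *
 * @param string $l_Filename path to scan; a trailing DIR_SEPARATOR marks a folder
 * @param int    $i          index of this entry used as the key in every result list
 * @return void  results are reported through AddResult() and the globals
 */
function QCR_ScanFile($l_Filename, $i = 0)
{
    global $g_IframerFragment, $g_Iframer, $g_Redirect, $g_Doorway, $g_EmptyLink, $g_Structure, $g_Counter, $g_HeuristicType, $g_HeuristicDetected, $g_TotalFolder, $g_TotalFiles, $g_WarningPHP, $g_AdwareList, $g_CriticalPHP, $g_Phishing, $g_CriticalJS, $g_UrlIgnoreList, $g_CriticalJSFragment, $g_PHPCodeInside, $g_PHPCodeInsideFragment, $g_NotRead, $g_WarningPHPFragment, $g_WarningPHPSig, $g_BigFiles, $g_RedirectPHPFragment, $g_EmptyLinkSrc, $g_CriticalPHPSig, $g_CriticalPHPFragment, $g_Base64Fragment, $g_UnixExec, $g_PhishingSigFragment, $g_PhishingFragment, $g_PhishingSig, $g_CriticalJSSig, $g_IframerFragment, $g_CMS, $defaults, $g_AdwareListFragment, $g_KnownList, $g_Vulnerable;
    global $g_CRC;
    // Running count of files seen, used only for the progress display.
    static $_files_and_ignored = 0;

    $l_CriticalDetected = false;
    $l_Stat = stat($l_Filename);
    // stat() returns false when the entry vanished; treat that as size 0.
    $l_Size = is_array($l_Stat) ? $l_Stat['size'] : 0;

    if (substr($l_Filename, -1) == DIR_SEPARATOR) {
        // FOLDER: only record it in the structure and count it.
        $g_Structure['n'][$i] = $l_Filename;
        $g_TotalFolder++;
        printProgress($_files_and_ignored, $l_Filename);
        return;
    }

    QCR_Debug('Scan file ' . $l_Filename);
    printProgress(++$_files_and_ignored, $l_Filename);

    // FILE: oversized (or unreadable-size) files are reported but not scanned.
    if ((MAX_SIZE_TO_SCAN > 0 and $l_Size > MAX_SIZE_TO_SCAN) || $l_Size < 0) {
        $g_BigFiles[] = $i;
        AddResult($l_Filename, $i);
        return;
    }

    $g_TotalFiles++;
    $l_TSStartScan = microtime(true);

    // Initialise both buffers so a non-regular file does not leave them undefined.
    $l_Content = '';
    $l_Unwrapped = '';
    if (filetype($l_Filename) === 'file') {
        $l_Content = @file_get_contents($l_Filename);
        $l_Unwrapped = @php_strip_whitespace($l_Filename);
    }
    if ($l_Content === false) {
        // file_get_contents() failed; normalise to '' so the string functions
        // below behave the same as for an empty file.
        $l_Content = '';
    }
    if ($l_Content === '' && $l_Size > 0) {
        $g_NotRead[] = $i;
        AddResult($l_Filename, $i);
    }

    // ignore itself (marker string embedded in the scanner)
    if (strpos($l_Content, 'H24LKHLKJHKLHJGJG4567869869GGHJ') !== false) {
        return;
    }
    // unix executables
    if (strpos($l_Content, chr(127) . 'ELF') !== false) {
        $g_UnixExec[] = $l_Filename;
        return;
    }

    // Content CRC plus basename CRC forms the key of the known-good list.
    $g_CRC = realCRC($l_Content);
    $l_KnownCRC = $g_CRC + realCRC(basename($l_Filename));
    if (isset($g_KnownList[$l_KnownCRC])) {
        //printProgress(++$_files_and_ignored, $l_Filename);
        return;
    }

    $l_UnicodeContent = detect_utf_encoding($l_Content);
    //$l_Unwrapped = $l_Content;
    if ($l_UnicodeContent !== false) {
        if (function_exists('mb_convert_encoding')) {
            // NOTE(review): no source encoding is given, so the conversion
            // relies on the mbstring default — confirm this is intended.
            $l_Unwrapped = mb_convert_encoding($l_Unwrapped, "CP1251");
        } else {
            $g_NotRead[] = $i;
            AddResult($l_Filename, $i);
        }
    }
    $l_Unwrapped = UnwrapObfu($l_Unwrapped);

    // check vulnerability in files
    $l_CriticalDetected = CheckVulnerability($l_Filename, $i, $l_Content);

    // critical PHP: unwrapped content first, raw content as fallback.
    // A hit here (or in CriticalJS / Phishing) skips all remaining checks.
    $g_SkipNextCheck = false;
    if (CriticalPHP($l_Filename, $i, $l_Unwrapped, $l_Pos, $l_SigId)) {
        $g_CriticalPHP[] = $i;
        $g_CriticalPHPFragment[] = getFragment($l_Unwrapped, $l_Pos);
        $g_CriticalPHPSig[] = $l_SigId;
        $g_SkipNextCheck = true;
    } elseif (CriticalPHP($l_Filename, $i, $l_Content, $l_Pos, $l_SigId)) {
        $g_CriticalPHP[] = $i;
        $g_CriticalPHPFragment[] = getFragment($l_Content, $l_Pos);
        $g_CriticalPHPSig[] = $l_SigId;
        $g_SkipNextCheck = true;
    }

    $l_TypeDe = 0;
    if (!$g_SkipNextCheck && HeuristicChecker($l_Content, $l_TypeDe, $l_Filename)) {
        $g_HeuristicDetected[] = $i;
        $g_HeuristicType[] = $l_TypeDe;
        $l_CriticalDetected = true;
    }

    // critical JS
    if (!$g_SkipNextCheck) {
        $l_Pos = CriticalJS($l_Filename, $i, $l_Unwrapped, $l_SigId);
        if ($l_Pos !== false) {
            $g_CriticalJS[] = $i;
            $g_CriticalJSFragment[] = getFragment($l_Unwrapped, $l_Pos);
            $g_CriticalJSSig[] = $l_SigId;
            $g_SkipNextCheck = true;
        }
    }

    // phishing
    if (!$g_SkipNextCheck) {
        $l_Pos = Phishing($l_Filename, $i, $l_Unwrapped, $l_SigId);
        if ($l_Pos !== false) {
            $g_Phishing[] = $i;
            $g_PhishingFragment[] = getFragment($l_Unwrapped, $l_Pos);
            $g_PhishingSigFragment[] = $l_SigId;
            $g_SkipNextCheck = true;
        }
    }

    if (!$g_SkipNextCheck) {
        // Iframe / empty-link checks run for index files (or every file when
        // SCAN_ALL_FILES is set). `!== false` so a match at offset 0 counts.
        if (SCAN_ALL_FILES || stripos($l_Filename, 'index.') !== false) {
            // check iframes
            if (preg_match_all('|<iframe[^>]+src.+?>|smi', $l_Unwrapped, $l_Found, PREG_SET_ORDER)) {
                $l_FoundCount = count($l_Found);
                for ($kk = 0; $kk < $l_FoundCount; $kk++) {
                    // Position of the first scheme found; the original `||`
                    // chain collapsed this to a bool and passed `true` to
                    // getFragment(), so the fragment offset was lost.
                    $l_Pos = stripos($l_Found[$kk][0], 'http://');
                    if ($l_Pos === false) {
                        $l_Pos = stripos($l_Found[$kk][0], 'https://');
                    }
                    if ($l_Pos === false) {
                        $l_Pos = stripos($l_Found[$kk][0], 'ftp://');
                    }
                    if ($l_Pos !== false && !knowUrl($l_Found[$kk][0])) {
                        $g_Iframer[] = $i;
                        $g_IframerFragment[] = getFragment($l_Found[$kk][0], $l_Pos);
                        $l_CriticalDetected = true;
                    }
                }
            }

            // check empty links (external <a> with no visible text)
            if (($defaults['report_mask'] & REPORT_MASK_SPAMLINKS) == REPORT_MASK_SPAMLINKS
                && preg_match_all('|<a[^>]+href([^>]+?)>(.*?)</a>|smi', $l_Unwrapped, $l_Found, PREG_SET_ORDER)) {
                // Own site URL from $defaults; the original read the undefined
                // $default['site_url'], and stripos() with an empty needle
                // reports a match at 0, which suppressed every finding.
                $l_SiteUrl = isset($defaults['site_url']) ? (string) $defaults['site_url'] : '';
                $l_FoundCount = count($l_Found);
                for ($kk = 0; $kk < $l_FoundCount; $kk++) {
                    if (stripos($l_Found[$kk][1], 'http://') !== false && trim(strip_tags($l_Found[$kk][2])) == '') {
                        $l_NeedToAdd = true;
                        if (($l_SiteUrl !== '' && stripos($l_Found[$kk][1], $l_SiteUrl) !== false) || knowUrl($l_Found[$kk][1])) {
                            $l_NeedToAdd = false;
                        }
                        if ($l_NeedToAdd && count($g_EmptyLink) < MAX_EXT_LINKS) {
                            $g_EmptyLink[] = $i;
                            $g_EmptyLinkSrc[$i][] = substr($l_Found[$kk][0], 0, MAX_PREVIEW_LEN);
                            $l_CriticalDetected = true;
                        }
                    }
                }
            }
        }

        // check for PHP code inside any type of file (names without ".ph")
        if (stripos($l_Filename, '.ph') === false) {
            $l_Pos = QCR_SearchPHP($l_Content);
            if ($l_Pos !== false) {
                $g_PHPCodeInside[] = $i;
                $g_PHPCodeInsideFragment[] = getFragment($l_Unwrapped, $l_Pos);
                $l_CriticalDetected = true;
            }
        }

        // htaccess: redirect / prepend-append / rewrite-to-foreign-host patterns
        if (stripos($l_Filename, '.htaccess') !== false) {
            if (stripos($l_Content, 'index.php?name=$1') !== false || stripos($l_Content, 'index.php?m=1') !== false) {
                // NOTE(review): $g_SuspDir is not declared global here, so this
                // only fills a local array — confirm whether a global is intended.
                $g_SuspDir[] = $i;
            }
            // Copy of the content with comment lines removed, used for the
            // RewriteRule host check only.
            $l_HTAContent = preg_replace('|^\\s*#.+$|m', '', $l_Content);

            $l_Pos = stripos($l_Content, 'auto_prepend_file');
            if ($l_Pos !== false) {
                $g_Redirect[] = $i;
                $g_RedirectPHPFragment[] = getFragment($l_Content, $l_Pos);
                $l_CriticalDetected = true;
            }
            $l_Pos = stripos($l_Content, 'auto_append_file');
            if ($l_Pos !== false) {
                $g_Redirect[] = $i;
                $g_RedirectPHPFragment[] = getFragment($l_Content, $l_Pos);
                $l_CriticalDetected = true;
            }
            $l_Pos = stripos($l_Content, '^(%2d|-)[^=]+$');
            if ($l_Pos !== false) {
                $g_Redirect[] = $i;
                $g_RedirectPHPFragment[] = getFragment($l_Content, $l_Pos);
                $l_CriticalDetected = true;
            }
            if (!$l_CriticalDetected) {
                $l_Pos = stripos($l_Content, '%{HTTP_USER_AGENT}');
                if ($l_Pos !== false) {
                    $g_Redirect[] = $i;
                    $g_RedirectPHPFragment[] = getFragment($l_Content, $l_Pos);
                    $l_CriticalDetected = true;
                }
            }
            if (!$l_CriticalDetected) {
                if (preg_match_all('|(RewriteCond\\s+%\\{HTTP_HOST\\}/%1 \\!\\^\\[w\\.\\]\\*\\(\\[\\^/\\]\\+\\)/\\\\1\\$\\s+\\[NC\\])|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
                    $g_Redirect[] = $i;
                    $g_RedirectPHPFragment[] = getFragment($l_Content, $l_Found[0][1]);
                    $l_CriticalDetected = true;
                }
            }
            if (!$l_CriticalDetected) {
                if (preg_match_all("|RewriteRule\\s+.+?\\s+http://(.+?)/.+\\s+\\[.*R=\\d+.*\\]|smi", $l_HTAContent, $l_Found, PREG_SET_ORDER)) {
                    // HTTP_HOST is absent under CLI; fall back to '' rather than a notice.
                    $l_ServerHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
                    $l_Host = str_replace('www.', '', $l_ServerHost);
                    $l_FoundCount = count($l_Found);
                    for ($j = 0; $j < $l_FoundCount; $j++) {
                        $l_Found[$j][1] = str_replace('www.', '', $l_Found[$j][1]);
                        // Any redirect to a host other than our own is flagged.
                        if ($l_Found[$j][1] != $l_Host) {
                            $g_Redirect[] = $i;
                            $l_CriticalDetected = true;
                            break;
                        }
                    }
                }
            }
            unset($l_HTAContent);
        }

        // warnings
        $l_Pos = '';
        if (WarningPHP($l_Filename, $l_Unwrapped, $l_Pos, $l_SigId)) {
            // Priority 0 for PHP-like names, 1 for everything else.
            $l_Prio = 1;
            if (strpos($l_Filename, '.ph') !== false) {
                $l_Prio = 0;
            }
            $g_WarningPHP[$l_Prio][] = $i;
            // NOTE(review): $l_Pos was found in $l_Unwrapped but the fragment is
            // taken from $l_Content (kept as in the original) — confirm intent.
            $g_WarningPHPFragment[$l_Prio][] = getFragment($l_Content, $l_Pos);
            $g_WarningPHPSig[] = $l_SigId;
            $l_CriticalDetected = true;
        }

        // adware
        if (Adware($l_Filename, $l_Unwrapped, $l_Pos)) {
            $g_AdwareList[] = $i;
            $g_AdwareListFragment[] = getFragment($l_Unwrapped, $l_Pos);
            $l_CriticalDetected = true;
        }

        // articles
        if (stripos($l_Filename, 'article_index') !== false) {
            // NOTE(review): $g_AdwareSig is not declared global in this
            // function, so this append stays local (kept as in the original).
            $g_AdwareSig[] = $i;
            $l_CriticalDetected = true;
        }
    } // end of if (!$g_SkipNextCheck)

    unset($l_Unwrapped);
    unset($l_Content);
    //printProgress(++$_files_and_ignored, $l_Filename);

    // Throttle: after a slow file (>= 0.5 s) pause SCAN_DELAY milliseconds.
    $l_TSEndScan = microtime(true);
    $l_Elapsed = $l_TSEndScan - $l_TSStartScan;
    if ($l_Elapsed >= 0.5) {
        usleep(SCAN_DELAY * 1000);
    }

    if ($g_SkipNextCheck || $l_CriticalDetected) {
        AddResult($l_Filename, $i);
    }
}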